From 2f01b635da53d9e24e5693a26da6daef9a1969ee Mon Sep 17 00:00:00 2001
From: kuantum
Date: Fri, 17 Mar 2023 15:16:08 +0000
Subject: [PATCH] harden docker-compose.yml

`user: nobody`: the least privileged account.
`read_only: true`: this container doesn't write anything to the filesystem, this removes a vector.
`security_opt`: disallows the container to grab more privileges.
`cap_drop`: this container doesn't need any capabilities, drop them.
`networks`: put `libreddit` into its own network so it cannot see other containers by default.
---
 docker-compose.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index 3369fd5..fc44fbb 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,3 +8,14 @@ services:
 ports:
 - 3000:3000
 restart: unless-stopped
+ user: 65534:65534 # equivalent to `nobody`
+ read_only: true
+ security_opt:
+ - no-new-privileges: true
+ cap_drop:
+ - ALL
+ networks:
+ - rimgo
+
+networks:
+ - rimgo
\ No newline at end of file
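Review bot: The `security_opt` entry is written as `- no-new-privileges: true`, which YAML parses as a one-key mapping rather than the string `no-new-privileges:true` that Compose expects (its schema defines `security_opt` as a list of strings), so the file should fail validation or, at best, the option is never applied and the privilege-escalation guard the commit describes is not in effect; write it as `- no-new-privileges:true` with no space after the colon. Likewise the new top-level `networks:` is a list, but Compose requires the top-level `networks` key to be a mapping of network definitions, so it should be `networks:` followed by `  rimgo:` (or `rimgo: {}`). The network is named `rimgo` while the commit message says it isolates `libreddit` — presumably copied from another project's compose file; a name matching this service would avoid confusion. Quoting the uid as `user: "65534:65534"` is also safer, since colon-separated numeric values are a known YAML 1.1 typing trap even though this particular value happens to parse as a string.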